justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License
91 stars, 10 forks

"unspecified certificate verification error" when WEBAUTHN_TRUSTED_ATTESTATION_CERT_REQUIRED = True #47

Open johnmcc3 opened 2 years ago

johnmcc3 commented 2 years ago

Whenever attestation is enabled in settings.py, new keys cannot be enrolled.

Django debug log:

[04/Jan/2022 10:36:17] "GET /kagi/add-webauthn-key/ HTTP/1.1" 200 3940
[04/Jan/2022 10:36:24] "POST /kagi/api/begin-activate/ HTTP/1.1" 200 463
/path/to/virtualenv/lib64/python3.9/site-packages/OpenSSL/crypto.py:1837: CryptographyDeprecationWarning: This version of cryptography contains a temporary pyOpenSSL fallback path. Upgrade pyOpenSSL now.
  self._store_ctx, self._store._store, self._cert._x509, self._chain
Unable to verify certificate: [1, 0, 'unspecified certificate verification error'].
[04/Jan/2022 10:36:26] "POST /kagi/api/verify-credential-info/ HTTP/1.1" 400 105

relevant package versions (all up to date as of the time this issue was submitted):

$ pip list
Package              Version
-------------------- ---------
cryptography         36.0.1
pyOpenSSL            21.0.0

relevant items from settings.py:

WEBAUTHN_TRUSTED_CERTIFICATES = '/path/to/trusted_attestation_roots/'
WEBAUTHN_TRUSTED_ATTESTATION_CERT_REQUIRED = True
WEBAUTHN_SELF_ATTESTATION_PERMITTED = False
WEBAUTHN_NONE_ATTESTATION_PERMITTED = False

$ ls -l /path/to/trusted_attestation_roots/
total 4
-rw-rw-r--. 1 django django 1143 Nov 11 10:43 yubico_u2f_device_attestation_ca.pem

$ cat yubico_u2f_device_attestation_ca.pem:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
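Added diagnostic example (not code from kagi or from the reporter): pyOpenSSL's `X509StoreContextError` only reports `[error code, depth, message]`, and depth 0 with "unspecified certificate verification error" says nothing about *why* the attestation leaf did not chain to the roots in the directory. The snippet below uses only the `cryptography` package to answer the two questions a defender checks first: did every file in the trusted-roots directory actually load as a certificate, and does the leaf's issuer name and signature match one of those roots? It assumes the directory is used the way `WEBAUTHN_TRUSTED_CERTIFICATES` is shown above (one or more PEM roots per file); the root, leaves and file names it creates are constructed sample data, not Yubico's real attestation CA.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def load_trusted_roots(directory):
    """Load every PEM certificate in every file of `directory` (assumed to work like
    WEBAUTHN_TRUSTED_CERTIFICATES). Files without a parseable cert are reported."""
    roots, problems = [], []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            blocks = PEM_BLOCK.findall(fh.read())
        if not blocks:
            problems.append(f"{name}: no PEM certificate block found")
        for block in blocks:
            try:
                roots.append(x509.load_pem_x509_certificate(block))
            except ValueError as exc:
                problems.append(f"{name}: unparseable certificate ({exc})")
    return roots, problems


def signature_valid(cert, issuer_public_key):
    """True if `cert` was signed by `issuer_public_key` (RSA PKCS#1 v1.5 or ECDSA)."""
    try:
        if isinstance(issuer_public_key, ec.EllipticCurvePublicKey):
            issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
        elif isinstance(issuer_public_key, rsa.RSAPublicKey):
            issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:
            return False
    except InvalidSignature:
        return False
    return True


def explain_chain(leaf, roots):
    """Return (issuing root or None, diagnostics) for an attestation leaf certificate."""
    notes = []
    candidates = [r for r in roots if r.subject == leaf.issuer]
    if not candidates:
        notes.append(f"no trusted root has subject == leaf issuer {leaf.issuer.rfc4514_string()}")
        return None, notes
    for root in candidates:
        if signature_valid(leaf, root.public_key()):
            notes.append(f"leaf signature verifies against {root.subject.rfc4514_string()}")
            return root, notes
        notes.append("root with matching subject found, but leaf signature does not verify against its key")
    return None, notes


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject, issuer, public_key, signing_key, ca):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_demo():
    """Constructed sample data: one root in a temp directory (plus a stray non-PEM file),
    a leaf the root signed, and a leaf with a spoofed issuer signed by an unrelated key."""
    root_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = _name("Example Attestation Root (constructed)")
    root = _make_cert(root_name, root_name, root_key.public_key(), root_key, ca=True)
    good_leaf = _make_cert(_name("Example Authenticator"), root.subject, leaf_key.public_key(), root_key, ca=False)
    rogue_leaf = _make_cert(_name("Example Authenticator"), root.subject, leaf_key.public_key(), rogue_key, ca=False)
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "example_root.pem"), "wb") as fh:
        fh.write(root.public_bytes(serialization.Encoding.PEM))
    with open(os.path.join(directory, "README.txt"), "wb") as fh:
        fh.write(b"not a certificate\n")
    return directory, good_leaf, rogue_leaf


def run_demo():
    directory, good_leaf, rogue_leaf = build_demo()
    roots, problems = load_trusted_roots(directory)
    good_root, _ = explain_chain(good_leaf, roots)
    rogue_root, rogue_notes = explain_chain(rogue_leaf, roots)
    return {"roots_loaded": len(roots), "problems": problems,
            "good_ok": good_root is not None, "rogue_ok": rogue_root is not None,
            "rogue_notes": rogue_notes}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

To use it against a real deployment, point `load_trusted_roots` at the configured directory and pass the attestation certificate extracted from the failing enrollment to `explain_chain`; a "no trusted root has subject == leaf issuer" note means the directory simply does not contain the CA that issued that authenticator's certificate, which is the first thing to rule out before looking at the verification library itself.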